IPsec protects traffic with symmetric encryption, but the Pre Shared Key (PSK)
is not the traffic key itself: it is the shared secret both peers use to
authenticate each other during the IKE negotiation, from which the session keys
are then derived. Treat the PSK as a credential. Generate it randomly, share it
with the other side over a secure channel, and make sure it is not committed to
your configuration management system's source control in plain text.

If you are creating a VPN that connects your projects between Catalyst Cloud
Regions, then the Remote Peer Router IP and Remote Peer Subnet CIDR Range will
be the values associated with the router and subnet in the other region. You
can determine these in the same way as shown above while connected to the other
region. If you are setting up a VPN to a different peer, then the Remote Peer
Router IP will be the publicly accessible IPv4 address of that router, while the
Remote Peer Subnet CIDR Range will be the subnet behind that router whose
traffic you wish to route via the VPN to and from the local subnet.

Note

If you are connecting to a remote peer that is not a Catalyst Cloud router,
you may need to modify some of the parameters used in the following steps.

By now you should have the required values so you can proceed to create a VPN.
There are four steps to creating a VPN:

You can pass the --peer-cidr argument more than once if you want to tunnel more
than one CIDR range.

You have now stood up one end of the VPN. This process should be repeated at
the other end using matching configuration options (IKE and IPsec algorithms,
DH group, lifetimes) and the same PSK. Once both sides of the VPN are
configured, the peers should automatically detect each other and bring up the
VPN. When the VPN is up, the status will change to ACTIVE. If the policies or
PSK differ between the two sides, the connection will not reach ACTIVE; compare
the settings on both ends before looking elsewhere.
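The following script is an added example, not Catalyst Cloud's own script or
documentation, covering the PSK handling described at the top of this page and
the four-step VPN procedure above. It assumes the four steps are the standard
OpenStack VPNaaS objects (IKE policy, IPsec policy, VPN service, IPsec site
connection) created with the openstack CLI; the router, subnet, peer address and
CIDR values are placeholders. The PSK is generated into a mode-0600 file and read
from there at run time, so nothing secret sits in a script that might be
committed, and a dry-run mode prints the commands with the PSK redacted.

```shell
#!/bin/sh
# Added example (not Catalyst Cloud's script): creates the four VPNaaS objects
# with the openstack CLI, reading the PSK from an owner-only file at run time.
# Assumed: the four steps are IKE policy, IPsec policy, VPN service and IPsec
# site connection; router/subnet/peer values are hypothetical placeholders.
set -eu

# Generate a 40-character random PSK into FILE with 0600 permissions.
# The secret is written, never echoed, so it does not end up in terminal logs.
new_psk_file() {
  file=$1
  [ -e "$file" ] && { echo "refusing to overwrite $file" >&2; return 1; }
  raw=$(head -c 2048 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
  psk=$(printf '%s\n' "$raw" | cut -c1-40)
  (umask 077; printf '%s' "$psk" > "$file")
}

# Accept only a dotted-quad IPv4 network with a /0-32 prefix.
check_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Run a command, or print it when DRY_RUN=1 so the calls can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_vpn PSK_FILE ROUTER SUBNET PEER_IP "PEER_CIDR [PEER_CIDR ...]" NAME
create_vpn() {
  psk_file=$1 router=$2 subnet=$3 peer_ip=$4 peer_cidrs=$5 name=$6
  [ -r "$psk_file" ] || { echo "PSK file $psk_file not readable" >&2; return 2; }
  for cidr in $peer_cidrs; do
    check_cidr "$cidr" || { echo "bad peer CIDR: $cidr" >&2; return 2; }
  done

  # 1. IKE (phase 1) policy: IKEv2, AES-256, SHA-256, DH group 14.
  run openstack vpn ike policy create --ike-version v2 \
    --encryption-algorithm aes-256 --auth-algorithm sha256 --pfs group14 \
    --lifetime units=seconds,value=3600 "$name-ike"
  # 2. IPsec (phase 2) policy: ESP in tunnel mode, same ciphers and PFS group.
  run openstack vpn ipsec policy create --transform-protocol esp \
    --encapsulation-mode tunnel --encryption-algorithm aes-256 \
    --auth-algorithm sha256 --pfs group14 --lifetime units=seconds,value=3600 \
    "$name-ipsec"
  # 3. VPN service bound to the local router and subnet.
  run openstack vpn service create --router "$router" --subnet "$subnet" \
    "$name-service"

  # 4. Site connection, with one --peer-cidr per remote range and dead peer
  #    detection so a peer that goes away is noticed and the tunnel restarted.
  set -- openstack vpn ipsec site connection create \
    --vpnservice "$name-service" --ikepolicy "$name-ike" \
    --ipsecpolicy "$name-ipsec" --peer-address "$peer_ip" --peer-id "$peer_ip" \
    --dpd action=restart,interval=30,timeout=120
  for cidr in $peer_cidrs; do set -- "$@" --peer-cidr "$cidr"; done
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$* --psk <redacted> $name-connection"   # never print the PSK
  else
    # The CLI only takes the PSK as an argument, so it is briefly visible in the
    # process list; read it from the 0600 file rather than storing it in a script.
    "$@" --psk "$(cat "$psk_file")" "$name-connection"
  fi
}

# Usage (hypothetical names):
#   new_psk_file "$HOME/.vpn/region-b.psk"
#   DRY_RUN=1 create_vpn "$HOME/.vpn/region-b.psk" my-router my-subnet \
#     203.0.113.10 "10.1.0.0/24 10.1.1.0/24" region-b
```

Run the same script at the other end with the roles of the local and remote
values swapped and the identical PSK file contents; the dry-run output is safe
to paste into a ticket or change record because the secret is redacted.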

The Catalyst Cloud team have created a bash script that simplifies the
procedure for creating a VPN. In the case of a region to region VPN, all you
need to know is the router and subnet names for each region. When one peer is
not a Catalyst Cloud router, you will need to know the peer router IP address
and the remote peer CIDR range.

This script will require no modification when setting up region to region VPNs.
If you are using it to connect a Catalyst Cloud router to a non Catalyst Cloud
router, you may need to change some configuration options.

This script currently only supports a single CIDR range. If you want to tunnel
multiple ranges, it will require some modification.

Note

This script makes use of the jq command line utility for parsing JSON.
You will need to install it before using the script.

You can download the latest version of this script using the following command: